SSL Decryption
If SSL decryption is not enabled, the firewall cannot tell which applications are inside an SSL connection, or see the application shifts that occur within the connection.
*SSL-encrypted traffic is decrypted for visibility, control, and granular security.
*Inbound and outbound SSL can be decrypted.
*Can occur on interfaces in Virtual Wire or Layer 3 mode.

'SSL FORWARD PROXY: (aka: Outbound SSL traffic)'
The firewall acts like a man-in-the-middle: the firewall's device certificate is installed in the user's browser.
*Intercepts outbound requests and generates a certificate on the fly for the site the client was going to.
*The validity dates on the generated (self-signed) certificate are taken from the validity dates on the real server certificate.
*The issuing authority of the self-signed certificate is the PAN device. If the firewall certificate is not part of an existing hierarchy or is not added to the client's browser certificate store, the client will receive a warning message when browsing to a secure site.
*If the real server certificate has been issued by an authority not trusted by the PAN firewall, the decryption certificate will be issued using a second "untrusted" CA key. This ensures the user will still be warned if a man-in-the-middle attack is occurring upstream.

'INBOUND SSL TRAFFIC:'
The PAN needs the same certificate as the server. When a request arrives, the PAN forwards it to the server, and the server builds the connection to the end user. Because the PAN has that certificate (and its private key) too, it can decrypt the data as it passes.
PAN-OS does not act as a proxy for SSL traffic matching the policy. Instead, PAN-OS tries to decrypt this SSL traffic on the fly by eavesdropping on the SSL handshake and using the associated certificate (key pair) configured in the decryption policy. Policy-based identification, decryption, and inspection of inbound SSL traffic can be applied to ensure that applications and threats are not hiding within SSL traffic.
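The forward-proxy rules above, as an added example that is not part of the original notes or of PAN-OS itself: a small Python model of how the on-the-fly certificate inherits the real server cert's subject and validity dates, which CA key signs it, and what a browser that trusts only the firewall's forward-trust CA then concludes. The `Cert` type, CA names and dates are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    subject: str       # e.g. "CN=www.example.com"
    issuer: str        # DN of the CA that signed it
    not_before: datetime
    not_after: datetime

# Constructed names for the two CA keys the firewall can sign with.
FORWARD_TRUST_CA = "CN=PAN Forward Trust CA"      # deployed to client browsers
FORWARD_UNTRUST_CA = "CN=PAN Forward Untrust CA"  # deliberately never deployed

def issue_forward_proxy_cert(real_cert: Cert, firewall_trusted_cas: set[str]) -> Cert:
    """Mint the certificate the client actually sees: subject and validity
    window copied from the real cert; signed by the trust CA only when the
    firewall trusts the real cert's issuer, otherwise by the untrust CA."""
    signer = FORWARD_TRUST_CA if real_cert.issuer in firewall_trusted_cas else FORWARD_UNTRUST_CA
    return Cert(real_cert.subject, signer, real_cert.not_before, real_cert.not_after)

def client_verdict(cert: Cert, client_trusted_cas: set[str], now: datetime) -> str:
    """What a browser with the given trust store concludes about the cert."""
    if cert.issuer not in client_trusted_cas:
        return "warning: untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return "warning: expired or not yet valid"
    return "ok"

def demo() -> dict[str, str]:
    """Three constructed upstream certificates seen through the forward proxy."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    firewall_trust = {"CN=Example Public Root CA"}
    client_trust = {"CN=Example Public Root CA", FORWARD_TRUST_CA}
    upstream = {
        # issued by a CA the firewall trusts, currently valid
        "good": Cert("CN=www.example.com", "CN=Example Public Root CA",
                     now - timedelta(days=30), now + timedelta(days=335)),
        # issued by a CA the firewall does not trust (private CA or interception)
        "untrusted": Cert("CN=www.example.com", "CN=Unknown Private CA",
                          now - timedelta(days=1), now + timedelta(days=1)),
        # trusted issuer, but the real cert expired; the copied dates preserve that
        "expired": Cert("CN=old.example.com", "CN=Example Public Root CA",
                        now - timedelta(days=400), now - timedelta(days=35)),
    }
    return {name: client_verdict(issue_forward_proxy_cert(c, firewall_trust), client_trust, now)
            for name, c in upstream.items()}
```

The "untrusted" and "expired" cases show why the untrust CA key and the copied validity dates matter: the browser warning the user would have seen without the firewall is preserved rather than hidden.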
A server certificate and private key are installed on the PAN to handle decryption.

'Base64'
*A group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it to a radix-64 representation.
**ASCII = American Standard Code for Information Interchange
*Commonly used when binary data needs to be stored and transferred over media that is designed to deal with textual data.

'PEM (Privacy-enhanced Electronic Mail)'
*Base64-encoded DER (Distinguished Encoding Rules) certificate. A PEM file is a printable version of the DER file.
*PEM includes encryption, authentication, and key management, and allows use of both public-key and secret-key cryptosystems.
**Enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

'Certificate'
*In order to apply SSL decryption, a CSR must be signed and imported.
*Without a certificate from a public PKI provider, the only other option is to create a self-signed CA, in which case clients will be prompted with the certificate warning page.
'GENERATING A CSR:'
Device -> Certificate Management -> Certificates
#Click the "Generate" button at the bottom.
#Fill in the Certificate Name, Common Name, and select "External Authority (CSR)" for Signed By.
#Complete the rest of the info for details like Country, Org, etc. Check with your CA for their requirements regarding formatting and criteria.
#Click Generate.

'EXPORTING THE CSR:'
#Select the certificate by highlighting it.
#Click the Export button.
#Send the exported CSR to the certificate authority. The CA will respond with a signed certificate.

'IMPORTING THE SIGNED CERTIFICATE:'
#The certificate name is case sensitive; make note of it.
#Click the Import button.
#Enter the cert name; it must match exactly.
#Browse to the signed certificate received from the CA and click OK.
#DO NOT check the "Import Private Key" check box (the private key is already on the firewall).
#Depending on the certificate authority used, it may be required to chain the intermediate certificate with the server certificate.
#Click OK. The cert should appear valid and the Key check box should be selected.

'VIEW/DELETE CRL and OCSP CACHE:'
Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) each maintain a list of certificates which have been revoked by the Certificate Authority. If the private key associated with a certificate is lost or exposed, then any authentication using that certificate should be denied. Likewise, if someone leaves the company or changes names, their certificates are replaced and the old certs are marked as invalid. The purpose of CRL or OCSP is to maintain the lists of certs which would otherwise be valid but have been revoked. Those lists are cached on the management plane and data plane of the firewall.
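An added example (not PAN-OS code) covering the PEM description above and the chaining step of the import procedure: it wraps DER into the BEGIN/END CERTIFICATE format, splits a PEM bundle back into DER blocks, compares two PEM files by DER fingerprint (the check for "the firewall has the same certificate as the server" before inbound inspection), and assembles a leaf-then-intermediate chain file. The DER byte strings used are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_to_pem(der: bytes) -> str:
    """Base64-encode DER and wrap at 64 columns between the PEM markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"

def pem_bundle_to_der(pem: str) -> list:
    """Return every CERTIFICATE block in a PEM file, in file order, as DER bytes.
    Line endings and wrapping are ignored; a non-base64 body raises ValueError."""
    blocks = _BLOCK.findall(pem)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return [base64.b64decode(re.sub(r"\s+", "", body), validate=True) for body in blocks]

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the usual way a certificate fingerprint is shown."""
    return hashlib.sha256(der).hexdigest()

def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True when the first certificate in each PEM file is byte-for-byte the same
    DER, so differences in line wrapping or CRLF vs LF do not matter."""
    return fingerprint(pem_bundle_to_der(pem_a)[0]) == fingerprint(pem_bundle_to_der(pem_b)[0])

def build_chain(leaf_pem: str, intermediate_pem: str) -> str:
    """Chain file in import order: server (leaf) certificate first, then the
    intermediate that issued it. Each input must hold exactly one certificate."""
    leaf = pem_bundle_to_der(leaf_pem)
    inter = pem_bundle_to_der(intermediate_pem)
    if len(leaf) != 1 or len(inter) != 1:
        raise ValueError("leaf and intermediate inputs must each contain one certificate")
    return der_to_pem(leaf[0]) + der_to_pem(inter[0])

# Constructed stand-ins for DER (a real DER certificate starts with a SEQUENCE tag, 0x30).
LEAF_DER = b"\x30\x10constructed-leaf-certificate"
INTERMEDIATE_DER = b"\x30\x18constructed-intermediate-ca"

if __name__ == "__main__":
    chain = build_chain(der_to_pem(LEAF_DER), der_to_pem(INTERMEDIATE_DER))
    print(chain)
    print("leaf fingerprint:", fingerprint(LEAF_DER))
```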
TO VIEW THE CRL/OCSP CACHE:
> debug sslmgr view crl
> debug sslmgr view ocsp all

TO DELETE THE CRL/OCSP CACHE (on the management plane):
> debug sslmgr delete crl all
> debug sslmgr delete ocsp all

TO DELETE THE CRL/OCSP CACHE (on the data plane):
> debug dataplane reset ssl-decrypt certificate-status

TO CHECK CRL and OCSP STATISTICS:
> debug sslmgr statistics

'SSL Decryption Configuration:'
#Configure the appropriate interfaces into either Virtual Wire or Layer 3 mode; the device must be inline in the network.
#Install the proper certificates on the firewall.
#Configure SSL Decryption rules.
#Enable the SSL Decryption notification page (optional).
#Commit changes and test.

'Commands:'
Provides information about the process/actions taken on the packets going through the device: whether they are dropped, NATed, decrypted, etc. These counters are for all the traffic going through the device.
*''> show counter global''

HOW TO VIEW DECRYPTED TRAFFIC:
> show session all filter ssl-decrypt yes

'Tech Doc:'
'How to implement SSL Decryption:'
*https://live.paloaltonetworks.com/docs/DOC-1412
'SSL Forward-Proxy and Inbound Inspection Decryption mode:'
*https://live.paloaltonetworks.com/docs/DOC-6051
'SSL Forward Proxy (man in the middle):'
*https://live.paloaltonetworks.com/docs/DOC-1327